Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
8 vulnerabilities found for WordPress by Automattic
CVE-2025-58674 (GCVE-0-2025-58674)
Vulnerability from nvd – Published: 2025-09-23 18:47 – Updated: 2026-04-28 16:13 X_Open Source
VLAI
Title
WordPress <= 6.8.2 - (Author+) Cross Site Scripting (XSS) Vulnerability
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WordPress allows Stored XSS. WordPress core security team is aware of the issue and working on a fix. This is low severity vulnerability that requires an attacker to have Author or higher user privileges to execute the attack vector.This issue affects WordPress: from 6.8 through 6.8.2, from 6.7 through 6.7.3, from 6.6 through 6.6.3, from 6.5 through 6.5.6, from 6.4 through 6.4.6, from 6.3 through 6.3.6, from 6.2 through 6.2.7, from 6.1 through 6.1.8, from 6.0 through 6.0.10, from 5.9 through 5.9.11, from 5.8 through 5.8.11, from 5.7 through 5.7.13, from 5.6 through 5.6.15, from 5.5 through 5.5.16, from 5.4 through 5.4.17, from 5.3 through 5.3.19, from 5.2 through 5.2.22, from 5.1 through 5.1.20, from 5.0 through 5.0.23, from 4.9 through 4.9.27, from 4.8 through 4.8.26, from 4.7 through 4.7.30.
Severity
5.9 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://patchstack.com/database/wordpress/wordpre… | vdb-entry |
| https://wordpress.org/news/2025/09/wordpress-6-8-… | release-notes |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| WordPress | WordPress |
Affected:
6.8 , ≤ 6.8.2
(custom)
Affected: 6.7 , ≤ 6.7.3 (custom) Affected: 6.6 , ≤ 6.6.3 (custom) Affected: 6.5 , ≤ 6.5.6 (custom) Affected: 6.4 , ≤ 6.4.6 (custom) Affected: 6.3 , ≤ 6.3.6 (custom) Affected: 6.2 , ≤ 6.2.7 (custom) Affected: 6.1 , ≤ 6.1.8 (custom) Affected: 6.0 , ≤ 6.0.10 (custom) Affected: 5.9 , ≤ 5.9.11 (custom) Affected: 5.8 , ≤ 5.8.11 (custom) Affected: 5.7 , ≤ 5.7.13 (custom) Affected: 5.6 , ≤ 5.6.15 (custom) Affected: 5.5 , ≤ 5.5.16 (custom) Affected: 5.4 , ≤ 5.4.17 (custom) Affected: 5.3 , ≤ 5.3.19 (custom) Affected: 5.2 , ≤ 5.2.22 (custom) Affected: 5.1 , ≤ 5.1.20 (custom) Affected: 5.0 , ≤ 5.0.23 (custom) Affected: 4.9 , ≤ 4.9.27 (custom) Affected: 4.8 , ≤ 4.8.26 (custom) Affected: 4.7 , ≤ 4.7.30 (custom) |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-58674",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-23T19:15:09.886956Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-23T19:17:35.099Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WordPress",
"repo": "https://github.com/WordPress/WordPress",
"vendor": "WordPress",
"versions": [
{
"changes": [
{
"at": "6.8.3",
"status": "unaffected"
}
],
"lessThanOrEqual": "6.8.2",
"status": "affected",
"version": "6.8",
"versionType": "custom"
},
{
"changes": [
{
"at": "6.7.4",
"status": "unaffected"
}
],
"lessThanOrEqual": "6.7.3",
"status": "affected",
"version": "6.7",
"versionType": "custom"
},
{
"changes": [
{
"at": "6.6.4",
"status": "unaffected"
}
],
"lessThanOrEqual": "6.6.3",
"status": "affected",
"version": "6.6",
"versionType": "custom"
},
{
"changes": [
{
"at": "6.5.7",
"status": "unaffected"
}
],
"lessThanOrEqual": "6.5.6",
"status": "affected",
"version": "6.5",
"versionType": "custom"
},
{
"changes": [
{
"at": "6.4.7",
"status": "unaffected"
}
],
"lessThanOrEqual": "6.4.6",
"status": "affected",
"version": "6.4",
"versionType": "custom"
},
{
"changes": [
{
"at": "6.3.7",
"status": "unaffected"
}
],
"lessThanOrEqual": "6.3.6",
"status": "affected",
"version": "6.3",
"versionType": "custom"
},
{
"changes": [
{
"at": "6.2.8",
"status": "unaffected"
}
],
"lessThanOrEqual": "6.2.7",
"status": "affected",
"version": "6.2",
"versionType": "custom"
},
{
"changes": [
{
"at": "6.1.9",
"status": "unaffected"
}
],
"lessThanOrEqual": "6.1.8",
"status": "affected",
"version": "6.1",
"versionType": "custom"
},
{
"changes": [
{
"at": "6.0.11",
"status": "unaffected"
}
],
"lessThanOrEqual": "6.0.10",
"status": "affected",
"version": "6.0",
"versionType": "custom"
},
{
"changes": [
{
"at": "5.9.12",
"status": "unaffected"
}
],
"lessThanOrEqual": "5.9.11",
"status": "affected",
"version": "5.9",
"versionType": "custom"
},
{
"changes": [
{
"at": "5.8.12",
"status": "unaffected"
}
],
"lessThanOrEqual": "5.8.11",
"status": "affected",
"version": "5.8",
"versionType": "custom"
},
{
"changes": [
{
"at": "5.7.14",
"status": "unaffected"
}
],
"lessThanOrEqual": "5.7.13",
"status": "affected",
"version": "5.7",
"versionType": "custom"
},
{
"changes": [
{
"at": "5.6.16",
"status": "unaffected"
}
],
"lessThanOrEqual": "5.6.15",
"status": "affected",
"version": "5.6",
"versionType": "custom"
},
{
"changes": [
{
"at": "5.5.17",
"status": "unaffected"
}
],
"lessThanOrEqual": "5.5.16",
"status": "affected",
"version": "5.5",
"versionType": "custom"
},
{
"changes": [
{
"at": "5.4.18",
"status": "unaffected"
}
],
"lessThanOrEqual": "5.4.17",
"status": "affected",
"version": "5.4",
"versionType": "custom"
},
{
"changes": [
{
"at": "5.3.20",
"status": "unaffected"
}
],
"lessThanOrEqual": "5.3.19",
"status": "affected",
"version": "5.3",
"versionType": "custom"
},
{
"changes": [
{
"at": "5.2.23",
"status": "unaffected"
}
],
"lessThanOrEqual": "5.2.22",
"status": "affected",
"version": "5.2",
"versionType": "custom"
},
{
"changes": [
{
"at": "5.1.21",
"status": "unaffected"
}
],
"lessThanOrEqual": "5.1.20",
"status": "affected",
"version": "5.1",
"versionType": "custom"
},
{
"changes": [
{
"at": "5.0.24",
"status": "unaffected"
}
],
"lessThanOrEqual": "5.0.23",
"status": "affected",
"version": "5.0",
"versionType": "custom"
},
{
"changes": [
{
"at": "4.9.28",
"status": "unaffected"
}
],
"lessThanOrEqual": "4.9.27",
"status": "affected",
"version": "4.9",
"versionType": "custom"
},
{
"changes": [
{
"at": "4.8.27",
"status": "unaffected"
}
],
"lessThanOrEqual": "4.8.26",
"status": "affected",
"version": "4.8",
"versionType": "custom"
},
{
"changes": [
{
"at": "4.7.31",
"status": "unaffected"
}
],
"lessThanOrEqual": "4.7.30",
"status": "affected",
"version": "4.7",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "savphill (Patchstack Bug Bounty Program)"
},
{
"lang": "en",
"type": "coordinator",
"value": "John Blackbourn (WordPress core security team lead)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(252, 252, 252);\"\u003eImproper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in WordPress allows Stored XSS. WordPress core security team is aware of the issue and working on a fix. This is low severity vulnerability that requires an attacker to have Author or higher user privileges to execute the attack vector.\u003c/span\u003e\u003cp\u003eThis issue affects WordPress: from 6.8 through 6.8.2, from 6.7 through 6.7.3, from 6.6 through 6.6.3, from 6.5 through 6.5.6, from 6.4 through 6.4.6, from 6.3 through 6.3.6, from 6.2 through 6.2.7, from 6.1 through 6.1.8, from 6.0 through 6.0.10, from 5.9 through 5.9.11, from 5.8 through 5.8.11, from 5.7 through 5.7.13, from 5.6 through 5.6.15, from 5.5 through 5.5.16, from 5.4 through 5.4.17, from 5.3 through 5.3.19, from 5.2 through 5.2.22, from 5.1 through 5.1.20, from 5.0 through 5.0.23, from 4.9 through 4.9.27, from 4.8 through 4.8.26, from 4.7 through 4.7.30.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in WordPress allows Stored XSS. WordPress core security team is aware of the issue and working on a fix. This is low severity vulnerability that requires an attacker to have Author or higher user privileges to execute the attack vector.This issue affects WordPress: from 6.8 through 6.8.2, from 6.7 through 6.7.3, from 6.6 through 6.6.3, from 6.5 through 6.5.6, from 6.4 through 6.4.6, from 6.3 through 6.3.6, from 6.2 through 6.2.7, from 6.1 through 6.1.8, from 6.0 through 6.0.10, from 5.9 through 5.9.11, from 5.8 through 5.8.11, from 5.7 through 5.7.13, from 5.6 through 5.6.15, from 5.5 through 5.5.16, from 5.4 through 5.4.17, from 5.3 through 5.3.19, from 5.2 through 5.2.22, from 5.1 through 5.1.20, from 5.0 through 5.0.23, from 4.9 through 4.9.27, from 4.8 through 4.8.26, from 4.7 through 4.7.30."
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-592 Stored XSS"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:13:46.266Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/wordpress/wordpress/wordpress/vulnerability/wordpress-wordpress-wordpress-6-8-2-cross-site-scripting-xss-vulnerability?_s_id=cve"
},
{
"tags": [
"release-notes"
],
"url": "https://wordpress.org/news/2025/09/wordpress-6-8-3-release/"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update WordPress to one of the following patched or higher versions: 6.8.3, 6.7.4, 6.6.4, 6.5.7, 6.4.7, 6.3.7, 6.2.8, 6.1.9, 6.0.11, 5.9.12, 5.8.12, 5.7.14, 5.6.16, 5.5.17, 5.4.18, 5.3.20, 5.2.23, 5.1.21, 5.0.24, 4.9.28, 4.8.27, or 4.7.31."
}
],
"value": "Update WordPress to one of the following patched or higher versions: 6.8.3, 6.7.4, 6.6.4, 6.5.7, 6.4.7, 6.3.7, 6.2.8, 6.1.9, 6.0.11, 5.9.12, 5.8.12, 5.7.14, 5.6.16, 5.5.17, 5.4.18, 5.3.20, 5.2.23, 5.1.21, 5.0.24, 4.9.28, 4.8.27, or 4.7.31."
}
],
"source": {
"discovery": "EXTERNAL"
},
"tags": [
"x_open-source"
],
"title": "WordPress \u003c= 6.8.2 - (Author+) Cross Site Scripting (XSS) Vulnerability",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-58674",
"datePublished": "2025-09-23T18:47:02.628Z",
"dateReserved": "2025-09-03T09:03:46.831Z",
"dateUpdated": "2026-04-28T16:13:46.266Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-58246 (GCVE-0-2025-58246)
Vulnerability from nvd – Published: 2025-09-23 17:17 – Updated: 2026-04-28 16:13 X_Open Source
VLAI
Title
WordPress <= 6.8.2 - (Contributor+) Sensitive Data Exposure Vulnerability
Summary
Insertion of Sensitive Information Into Sent Data vulnerability in WordPress allows Retrieve Embedded Sensitive Data. The WordPress Core security team is aware of the issue and is already working on a fix. This is a low-severity vulnerability. Contributor-level privileges required in order to exploit it.
This issue affects WordPress: from 6.8 through 6.8.2, from 6.7 through 6.7.3, from 6.6 through 6.6.3, from 6.5 through 6.5.6, from 6.4 through 6.4.6, from 6.3 through 6.3.6, from 6.2 through 6.2.7, from 6.1 through 6.1.8, from 6.0 through 6.0.10, from 5.9 through 5.9.11, from 5.8 through 5.8.11, from 5.7 through 5.7.13, from 5.6 through 5.6.15, from 5.5 through 5.5.16, from 5.4 through 5.4.17, from 5.3 through 5.3.19, from 5.2 through 5.2.22, from 5.1 through 5.1.20, from 5.0 through 5.0.23, from 4.9 through 4.9.27, from 4.8 through 4.8.26, from 4.7 through 4.7.30.
Severity
4.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-201 - Insertion of Sensitive Information Into Sent Data
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://patchstack.com/database/wordpress/wordpre… | vdb-entry |
| https://wordpress.org/news/2025/09/wordpress-6-8-… | release-notes |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| WordPress | WordPress |
Affected:
6.8 , ≤ 6.8.2
(custom)
Affected: 6.7 , ≤ 6.7.3 (custom) Affected: 6.6 , ≤ 6.6.3 (custom) Affected: 6.5 , ≤ 6.5.6 (custom) Affected: 6.4 , ≤ 6.4.6 (custom) Affected: 6.3 , ≤ 6.3.6 (custom) Affected: 6.2 , ≤ 6.2.7 (custom) Affected: 6.1 , ≤ 6.1.8 (custom) Affected: 6.0 , ≤ 6.0.10 (custom) Affected: 5.9 , ≤ 5.9.11 (custom) Affected: 5.8 , ≤ 5.8.11 (custom) Affected: 5.7 , ≤ 5.7.13 (custom) Affected: 5.6 , ≤ 5.6.15 (custom) Affected: 5.5 , ≤ 5.5.16 (custom) Affected: 5.4 , ≤ 5.4.17 (custom) Affected: 5.3 , ≤ 5.3.19 (custom) Affected: 5.2 , ≤ 5.2.22 (custom) Affected: 5.1 , ≤ 5.1.20 (custom) Affected: 5.0 , ≤ 5.0.23 (custom) Affected: 4.9 , ≤ 4.9.27 (custom) Affected: 4.8 , ≤ 4.8.26 (custom) Affected: 4.7 , ≤ 4.7.30 (custom) |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-58246",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-23T18:30:39.501670Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-23T18:37:38.153Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WordPress",
"repo": "https://github.com/WordPress/WordPress",
"vendor": "WordPress",
"versions": [
{
"changes": [
{
"at": "6.8.3",
"status": "unaffected"
}
],
"lessThanOrEqual": "6.8.2",
"status": "affected",
"version": "6.8",
"versionType": "custom"
},
{
"changes": [
{
"at": "6.7.4",
"status": "unaffected"
}
],
"lessThanOrEqual": "6.7.3",
"status": "affected",
"version": "6.7",
"versionType": "custom"
},
{
"changes": [
{
"at": "6.6.4",
"status": "unaffected"
}
],
"lessThanOrEqual": "6.6.3",
"status": "affected",
"version": "6.6",
"versionType": "custom"
},
{
"changes": [
{
"at": "6.5.7",
"status": "unaffected"
}
],
"lessThanOrEqual": "6.5.6",
"status": "affected",
"version": "6.5",
"versionType": "custom"
},
{
"changes": [
{
"at": "6.4.7",
"status": "unaffected"
}
],
"lessThanOrEqual": "6.4.6",
"status": "affected",
"version": "6.4",
"versionType": "custom"
},
{
"changes": [
{
"at": "6.3.7",
"status": "unaffected"
}
],
"lessThanOrEqual": "6.3.6",
"status": "affected",
"version": "6.3",
"versionType": "custom"
},
{
"changes": [
{
"at": "6.2.8",
"status": "unaffected"
}
],
"lessThanOrEqual": "6.2.7",
"status": "affected",
"version": "6.2",
"versionType": "custom"
},
{
"changes": [
{
"at": "6.1.9",
"status": "unaffected"
}
],
"lessThanOrEqual": "6.1.8",
"status": "affected",
"version": "6.1",
"versionType": "custom"
},
{
"changes": [
{
"at": "6.0.11",
"status": "unaffected"
}
],
"lessThanOrEqual": "6.0.10",
"status": "affected",
"version": "6.0",
"versionType": "custom"
},
{
"changes": [
{
"at": "5.9.12",
"status": "unaffected"
}
],
"lessThanOrEqual": "5.9.11",
"status": "affected",
"version": "5.9",
"versionType": "custom"
},
{
"changes": [
{
"at": "5.8.12",
"status": "unaffected"
}
],
"lessThanOrEqual": "5.8.11",
"status": "affected",
"version": "5.8",
"versionType": "custom"
},
{
"changes": [
{
"at": "5.7.14",
"status": "unaffected"
}
],
"lessThanOrEqual": "5.7.13",
"status": "affected",
"version": "5.7",
"versionType": "custom"
},
{
"changes": [
{
"at": "5.6.16",
"status": "unaffected"
}
],
"lessThanOrEqual": "5.6.15",
"status": "affected",
"version": "5.6",
"versionType": "custom"
},
{
"changes": [
{
"at": "5.5.17",
"status": "unaffected"
}
],
"lessThanOrEqual": "5.5.16",
"status": "affected",
"version": "5.5",
"versionType": "custom"
},
{
"changes": [
{
"at": "5.4.18",
"status": "unaffected"
}
],
"lessThanOrEqual": "5.4.17",
"status": "affected",
"version": "5.4",
"versionType": "custom"
},
{
"changes": [
{
"at": "5.3.20",
"status": "unaffected"
}
],
"lessThanOrEqual": "5.3.19",
"status": "affected",
"version": "5.3",
"versionType": "custom"
},
{
"changes": [
{
"at": "5.2.23",
"status": "unaffected"
}
],
"lessThanOrEqual": "5.2.22",
"status": "affected",
"version": "5.2",
"versionType": "custom"
},
{
"changes": [
{
"at": "5.1.21",
"status": "unaffected"
}
],
"lessThanOrEqual": "5.1.20",
"status": "affected",
"version": "5.1",
"versionType": "custom"
},
{
"changes": [
{
"at": "5.0.24",
"status": "unaffected"
}
],
"lessThanOrEqual": "5.0.23",
"status": "affected",
"version": "5.0",
"versionType": "custom"
},
{
"changes": [
{
"at": "4.9.28",
"status": "unaffected"
}
],
"lessThanOrEqual": "4.9.27",
"status": "affected",
"version": "4.9",
"versionType": "custom"
},
{
"changes": [
{
"at": "4.8.27",
"status": "unaffected"
}
],
"lessThanOrEqual": "4.8.26",
"status": "affected",
"version": "4.8",
"versionType": "custom"
},
{
"changes": [
{
"at": "4.7.31",
"status": "unaffected"
}
],
"lessThanOrEqual": "4.7.30",
"status": "affected",
"version": "4.7",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Abu Hurayra (Patchstack Bug Bounty Program)"
},
{
"lang": "en",
"type": "coordinator",
"value": "John Blackbourn (WordPress core security team lead)"
},
{
"lang": "en",
"type": "reporter",
"value": "Timothy Jacobs"
},
{
"lang": "en",
"type": "reporter",
"value": "Peter Wilson"
},
{
"lang": "en",
"type": "reporter",
"value": "Mike Nelson"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eInsertion of Sensitive Information Into Sent Data vulnerability in WordPress allows Retrieve Embedded Sensitive Data. The WordPress Core security team is aware of the issue and is already working on a fix. This is a low-severity vulnerability. Contributor-level privileges required in order to exploit it.\u003c/span\u003e\u003cbr\u003e\u003cp\u003eThis issue affects WordPress: from 6.8 through 6.8.2, from 6.7 through 6.7.3, from 6.6 through 6.6.3, from 6.5 through 6.5.6, from 6.4 through 6.4.6, from 6.3 through 6.3.6, from 6.2 through 6.2.7, from 6.1 through 6.1.8, from 6.0 through 6.0.10, from 5.9 through 5.9.11, from 5.8 through 5.8.11, from 5.7 through 5.7.13, from 5.6 through 5.6.15, from 5.5 through 5.5.16, from 5.4 through 5.4.17, from 5.3 through 5.3.19, from 5.2 through 5.2.22, from 5.1 through 5.1.20, from 5.0 through 5.0.23, from 4.9 through 4.9.27, from 4.8 through 4.8.26, from 4.7 through 4.7.30.\u003c/p\u003e"
}
],
"value": "Insertion of Sensitive Information Into Sent Data vulnerability in WordPress allows Retrieve Embedded Sensitive Data. The WordPress Core security team is aware of the issue and is already working on a fix. This is a low-severity vulnerability. Contributor-level privileges required in order to exploit it.\nThis issue affects WordPress: from 6.8 through 6.8.2, from 6.7 through 6.7.3, from 6.6 through 6.6.3, from 6.5 through 6.5.6, from 6.4 through 6.4.6, from 6.3 through 6.3.6, from 6.2 through 6.2.7, from 6.1 through 6.1.8, from 6.0 through 6.0.10, from 5.9 through 5.9.11, from 5.8 through 5.8.11, from 5.7 through 5.7.13, from 5.6 through 5.6.15, from 5.5 through 5.5.16, from 5.4 through 5.4.17, from 5.3 through 5.3.19, from 5.2 through 5.2.22, from 5.1 through 5.1.20, from 5.0 through 5.0.23, from 4.9 through 4.9.27, from 4.8 through 4.8.26, from 4.7 through 4.7.30."
}
],
"impacts": [
{
"capecId": "CAPEC-37",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-37 Retrieve Embedded Sensitive Data"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-201",
"description": "CWE-201 Insertion of Sensitive Information Into Sent Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:13:42.821Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/wordpress/wordpress/wordpress/vulnerability/wordpress-wordpress-wordpress-6-8-2-sensitive-data-exposure-vulnerability?_s_id=cve"
},
{
"tags": [
"release-notes"
],
"url": "https://wordpress.org/news/2025/09/wordpress-6-8-3-release/"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update WordPress to one of the following patched or higher versions: 6.8.3, 6.7.4, 6.6.4, 6.5.7, 6.4.7, 6.3.7, 6.2.8, 6.1.9, 6.0.11, 5.9.12, 5.8.12, 5.7.14, 5.6.16, 5.5.17, 5.4.18, 5.3.20, 5.2.23, 5.1.21, 5.0.24, 4.9.28, 4.8.27, or 4.7.31."
}
],
"value": "Update WordPress to one of the following patched or higher versions: 6.8.3, 6.7.4, 6.6.4, 6.5.7, 6.4.7, 6.3.7, 6.2.8, 6.1.9, 6.0.11, 5.9.12, 5.8.12, 5.7.14, 5.6.16, 5.5.17, 5.4.18, 5.3.20, 5.2.23, 5.1.21, 5.0.24, 4.9.28, 4.8.27, or 4.7.31."
}
],
"source": {
"discovery": "EXTERNAL"
},
"tags": [
"x_open-source"
],
"title": "WordPress \u003c= 6.8.2 - (Contributor+) Sensitive Data Exposure Vulnerability",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-58246",
"datePublished": "2025-09-23T17:17:12.399Z",
"dateReserved": "2025-08-27T16:19:44.959Z",
"dateUpdated": "2026-04-28T16:13:42.821Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-32111 (GCVE-0-2024-32111)
Vulnerability from nvd – Published: 2024-06-25 13:35 – Updated: 2026-04-28 16:09
VLAI
Title
WordPress core < 6.5.5 - Auth. Arbitrary .html File Read (Windows Only) vulnerability
Summary
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Automattic WordPress allows Relative Path Traversal.This issue affects WordPress: from 6.5 through 6.5.4, from 6.4 through 6.4.4, from 6.3 through 6.3.4, from 6.2 through 6.2.5, from 6.1 through 6.1.6, from 6.0 through 6.0.8, from 5.9 through 5.9.9, from 5.8 through 5.8.9, from 5.7 through 5.7.11, from 5.6 through 5.6.13, from 5.5 through 5.5.14, from 5.4 through 5.4.15, from 5.3 through 5.3.17, from 5.2 through 5.2.20, from 5.1 through 5.1.18, from 5.0 through 5.0.21, from 4.9 through 4.9.25, from 4.8 through 4.8.24, from 4.7 through 4.7.28, from 4.6 through 4.6.28, from 4.5 through 4.5.31, from 4.4 through 4.4.32, from 4.3 through 4.3.33, from 4.2 through 4.2.37, from 4.1 through 4.1.40.
Severity
5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://patchstack.com/database/vulnerability/wor… | vdb-entry |
| https://wordpress.org/news/2024/06/wordpress-6-5-5/ | release-notes |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Automattic | WordPress |
Affected:
6.5 , ≤ 6.5.4
(custom)
Affected: 6.4 , ≤ 6.4.4 (custom) Affected: 6.3 , ≤ 6.3.4 (custom) Affected: 6.2 , ≤ 6.2.5 (custom) Affected: 6.1 , ≤ 6.1.6 (custom) Affected: 6.0 , ≤ 6.0.8 (custom) Affected: 5.9 , ≤ 5.9.9 (custom) Affected: 5.8 , ≤ 5.8.9 (custom) Affected: 5.7 , ≤ 5.7.11 (custom) Affected: 5.6 , ≤ 5.6.13 (custom) Affected: 5.5 , ≤ 5.5.14 (custom) Affected: 5.4 , ≤ 5.4.15 (custom) Affected: 5.3 , ≤ 5.3.17 (custom) Affected: 5.2 , ≤ 5.2.20 (custom) Affected: 5.1 , ≤ 5.1.18 (custom) Affected: 5.0 , ≤ 5.0.21 (custom) Affected: 4.9 , ≤ 4.9.25 (custom) Affected: 4.8 , ≤ 4.8.24 (custom) Affected: 4.7 , ≤ 4.7.28 (custom) Affected: 4.6 , ≤ 4.6.28 (custom) Affected: 4.5 , ≤ 4.5.31 (custom) Affected: 4.4 , ≤ 4.4.32 (custom) Affected: 4.3 , ≤ 4.3.33 (custom) Affected: 4.2 , ≤ 4.2.37 (custom) Affected: 4.1 , ≤ 4.1.40 (custom) |
Date Public
2024-06-25 13:30
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-32111",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-27T13:40:36.313046Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-27T19:20:35.758Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T02:06:44.011Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/wordpress/wordpress-core-6-5-5-contributor-arbitrary-html-file-read-windows-only-vulnerability?_s_id=cve"
},
{
"tags": [
"release-notes",
"x_transferred"
],
"url": "https://wordpress.org/news/2024/06/wordpress-6-5-5/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WordPress",
"vendor": "Automattic",
"versions": [
{
"changes": [
{
"at": "6.5.5",
"status": "unaffected"
}
],
"lessThanOrEqual": "6.5.4",
"status": "affected",
"version": "6.5",
"versionType": "custom"
},
{
"changes": [
{
"at": "6.4.5",
"status": "unaffected"
}
],
"lessThanOrEqual": "6.4.4",
"status": "affected",
"version": "6.4",
"versionType": "custom"
},
{
"changes": [
{
"at": "6.3.5",
"status": "unaffected"
}
],
"lessThanOrEqual": "6.3.4",
"status": "affected",
"version": "6.3",
"versionType": "custom"
},
{
"changes": [
{
"at": "6.2.6",
"status": "unaffected"
}
],
"lessThanOrEqual": "6.2.5",
"status": "affected",
"version": "6.2",
"versionType": "custom"
},
{
"changes": [
{
"at": "6.1.7",
"status": "unaffected"
}
],
"lessThanOrEqual": "6.1.6",
"status": "affected",
"version": "6.1",
"versionType": "custom"
},
{
"changes": [
{
"at": "6.0.9",
"status": "unaffected"
}
],
"lessThanOrEqual": "6.0.8",
"status": "affected",
"version": "6.0",
"versionType": "custom"
},
{
"changes": [
{
"at": "5.9.10",
"status": "unaffected"
}
],
"lessThanOrEqual": "5.9.9",
"status": "affected",
"version": "5.9",
"versionType": "custom"
},
{
"changes": [
{
"at": "5.8.10",
"status": "unaffected"
}
],
"lessThanOrEqual": "5.8.9",
"status": "affected",
"version": "5.8",
"versionType": "custom"
},
{
"changes": [
{
"at": "5.7.12",
"status": "unaffected"
}
],
"lessThanOrEqual": "5.7.11",
"status": "affected",
"version": "5.7",
"versionType": "custom"
},
{
"changes": [
{
"at": "5.6.14",
"status": "unaffected"
}
],
"lessThanOrEqual": "5.6.13",
"status": "affected",
"version": "5.6",
"versionType": "custom"
},
{
"changes": [
{
"at": "5.5.15",
"status": "unaffected"
}
],
"lessThanOrEqual": "5.5.14",
"status": "affected",
"version": "5.5",
"versionType": "custom"
},
{
"changes": [
{
"at": "5.4.16",
"status": "unaffected"
}
],
"lessThanOrEqual": "5.4.15",
"status": "affected",
"version": "5.4",
"versionType": "custom"
},
{
"changes": [
{
"at": "5.3.18",
"status": "unaffected"
}
],
"lessThanOrEqual": "5.3.17",
"status": "affected",
"version": "5.3",
"versionType": "custom"
},
{
"changes": [
{
"at": "5.2.21",
"status": "unaffected"
}
],
"lessThanOrEqual": "5.2.20",
"status": "affected",
"version": "5.2",
"versionType": "custom"
},
{
"changes": [
{
"at": "5.1.19",
"status": "unaffected"
}
],
"lessThanOrEqual": "5.1.18",
"status": "affected",
"version": "5.1",
"versionType": "custom"
},
{
"changes": [
{
"at": "5.0.22",
"status": "unaffected"
}
],
"lessThanOrEqual": "5.0.21",
"status": "affected",
"version": "5.0",
"versionType": "custom"
},
{
"changes": [
{
"at": "4.9.26",
"status": "unaffected"
}
],
"lessThanOrEqual": "4.9.25",
"status": "affected",
"version": "4.9",
"versionType": "custom"
},
{
"changes": [
{
"at": "4.8.25",
"status": "unaffected"
}
],
"lessThanOrEqual": "4.8.24",
"status": "affected",
"version": "4.8",
"versionType": "custom"
},
{
"changes": [
{
"at": "4.7.29",
"status": "unaffected"
}
],
"lessThanOrEqual": "4.7.28",
"status": "affected",
"version": "4.7",
"versionType": "custom"
},
{
"changes": [
{
"at": "4.6.29",
"status": "unaffected"
}
],
"lessThanOrEqual": "4.6.28",
"status": "affected",
"version": "4.6",
"versionType": "custom"
},
{
"changes": [
{
"at": "4.5.32",
"status": "unaffected"
}
],
"lessThanOrEqual": "4.5.31",
"status": "affected",
"version": "4.5",
"versionType": "custom"
},
{
"changes": [
{
"at": "4.4.33",
"status": "unaffected"
}
],
"lessThanOrEqual": "4.4.32",
"status": "affected",
"version": "4.4",
"versionType": "custom"
},
{
"changes": [
{
"at": "4.3.34",
"status": "unaffected"
}
],
"lessThanOrEqual": "4.3.33",
"status": "affected",
"version": "4.3",
"versionType": "custom"
},
{
"changes": [
{
"at": "4.2.38",
"status": "unaffected"
}
],
"lessThanOrEqual": "4.2.37",
"status": "affected",
"version": "4.2",
"versionType": "custom"
},
{
"changes": [
{
"at": "4.1.41",
"status": "unaffected"
}
],
"lessThanOrEqual": "4.1.40",
"status": "affected",
"version": "4.1",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Rafie Muhammad (Patchstack)"
},
{
"lang": "en",
"type": "finder",
"value": "Edouard L. (Patchstack)"
},
{
"lang": "en",
"type": "finder",
"value": "David Fifield"
},
{
"lang": "en",
"type": "finder",
"value": "x89"
},
{
"lang": "en",
"type": "finder",
"value": "apple502j"
},
{
"lang": "en",
"type": "finder",
"value": "mishre"
}
],
"datePublic": "2024-06-25T13:30:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027) vulnerability in Automattic WordPress allows Relative Path Traversal.\u003cp\u003eThis issue affects WordPress: from 6.5 through 6.5.4, from 6.4 through 6.4.4, from 6.3 through 6.3.4, from 6.2 through 6.2.5, from 6.1 through 6.1.6, from 6.0 through 6.0.8, from 5.9 through 5.9.9, from 5.8 through 5.8.9, from 5.7 through 5.7.11, from 5.6 through 5.6.13, from 5.5 through 5.5.14, from 5.4 through 5.4.15, from 5.3 through 5.3.17, from 5.2 through 5.2.20, from 5.1 through 5.1.18, from 5.0 through 5.0.21, from 4.9 through 4.9.25, from 4.8 through 4.8.24, from 4.7 through 4.7.28, from 4.6 through 4.6.28, from 4.5 through 4.5.31, from 4.4 through 4.4.32, from 4.3 through 4.3.33, from 4.2 through 4.2.37, from 4.1 through 4.1.40.\u003c/p\u003e"
}
],
"value": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027) vulnerability in Automattic WordPress allows Relative Path Traversal.This issue affects WordPress: from 6.5 through 6.5.4, from 6.4 through 6.4.4, from 6.3 through 6.3.4, from 6.2 through 6.2.5, from 6.1 through 6.1.6, from 6.0 through 6.0.8, from 5.9 through 5.9.9, from 5.8 through 5.8.9, from 5.7 through 5.7.11, from 5.6 through 5.6.13, from 5.5 through 5.5.14, from 5.4 through 5.4.15, from 5.3 through 5.3.17, from 5.2 through 5.2.20, from 5.1 through 5.1.18, from 5.0 through 5.0.21, from 4.9 through 4.9.25, from 4.8 through 4.8.24, from 4.7 through 4.7.28, from 4.6 through 4.6.28, from 4.5 through 4.5.31, from 4.4 through 4.4.32, from 4.3 through 4.3.33, from 4.2 through 4.2.37, from 4.1 through 4.1.40."
}
],
"impacts": [
{
"capecId": "CAPEC-139",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-139 Relative Path Traversal"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:09:34.172Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/vulnerability/wordpress/wordpress-core-6-5-5-contributor-arbitrary-html-file-read-windows-only-vulnerability?_s_id=cve"
},
{
"tags": [
"release-notes"
],
"url": "https://wordpress.org/news/2024/06/wordpress-6-5-5/"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update to safe (6.5.5,\u00a06.4.5, 6.3.5, 6.2.6, 6.1.7, 6.0.9, 5.9.10, 5.8.10, 5.7.12, 5.6.14, 5.5.15, 5.4.16, 5.3.18, 5.2.21, 5.1.19, 5.0.22, 4.9.26, 4.8.25, 4.7.29, 4.6.29, 4.5.32, 4.4.33, 4.3.34, 4.2.38, 4.1.41) or higher version."
}
],
"value": "Update to safe (6.5.5,\u00a06.4.5, 6.3.5, 6.2.6, 6.1.7, 6.0.9, 5.9.10, 5.8.10, 5.7.12, 5.6.14, 5.5.15, 5.4.16, 5.3.18, 5.2.21, 5.1.19, 5.0.22, 4.9.26, 4.8.25, 4.7.29, 4.6.29, 4.5.32, 4.4.33, 4.3.34, 4.2.38, 4.1.41) or higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress core \u003c 6.5.5 - Auth. Arbitrary .html File Read (Windows Only) vulnerability",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2024-32111",
"datePublished": "2024-06-25T13:35:45.596Z",
"dateReserved": "2024-04-10T19:19:25.420Z",
"dateUpdated": "2026-04-28T16:09:34.172Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-31111 (GCVE-0-2024-31111)
Vulnerability from nvd – Published: 2024-06-25 12:54 – Updated: 2026-04-28 16:09
VLAI
Title
WordPress Core < 6.5.5 - Cross Site Scripting (XSS) vulnerability
Summary
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Automattic WordPress allows Stored XSS.This issue affects WordPress: from 6.5 through 6.5.4, from 6.4 through 6.4.4, from 6.3 through 6.3.4, from 6.2 through 6.2.5, from 6.1 through 6.1.6, from 6.0 through 6.0.8, from 5.9 through 5.9.9.
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://patchstack.com/database/vulnerability/wor… | vdb-entry |
| https://wordpress.org/news/2024/06/wordpress-6-5-5/ | release-notes |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Automattic | WordPress |
Affected:
6.5 , ≤ 6.5.4
(custom)
Affected: 6.4 , ≤ 6.4.4 (custom) Affected: 6.3 , ≤ 6.3.4 (custom) Affected: 6.2 , ≤ 6.2.5 (custom) Affected: 6.1 , ≤ 6.1.6 (custom) Affected: 6.0 , ≤ 6.0.8 (custom) Affected: 5.9 , ≤ 5.9.9 (custom) |
Date Public
2024-06-25 12:54
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-31111",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-25T13:49:17.784337Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-25T13:49:38.980Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:46:04.672Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/wordpress/wordpress-wordpress-core-core-6-5-5-cross-site-scripting-xss-via-template-part-vulnerability?_s_id=cve"
},
{
"tags": [
"release-notes",
"x_transferred"
],
"url": "https://wordpress.org/news/2024/06/wordpress-6-5-5/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WordPress",
"vendor": "Automattic",
"versions": [
{
"changes": [
{
"at": "6.5.5",
"status": "unaffected"
}
],
"lessThanOrEqual": "6.5.4",
"status": "affected",
"version": "6.5",
"versionType": "custom"
},
{
"changes": [
{
"at": "6.4.5",
"status": "unaffected"
}
],
"lessThanOrEqual": "6.4.4",
"status": "affected",
"version": "6.4",
"versionType": "custom"
},
{
"changes": [
{
"at": "6.3.5",
"status": "unaffected"
}
],
"lessThanOrEqual": "6.3.4",
"status": "affected",
"version": "6.3",
"versionType": "custom"
},
{
"changes": [
{
"at": "6.2.6",
"status": "unaffected"
}
],
"lessThanOrEqual": "6.2.5",
"status": "affected",
"version": "6.2",
"versionType": "custom"
},
{
"changes": [
{
"at": "6.1.7",
"status": "unaffected"
}
],
"lessThanOrEqual": "6.1.6",
"status": "affected",
"version": "6.1",
"versionType": "custom"
},
{
"changes": [
{
"at": "6.0.9",
"status": "unaffected"
}
],
"lessThanOrEqual": "6.0.8",
"status": "affected",
"version": "6.0",
"versionType": "custom"
},
{
"changes": [
{
"at": "5.9.10",
"status": "unaffected"
}
],
"lessThanOrEqual": "5.9.9",
"status": "affected",
"version": "5.9",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Rafie Muhammad (Patchstack)"
}
],
"datePublic": "2024-06-25T12:54:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027) vulnerability in Automattic WordPress allows Stored XSS.\u003cp\u003eThis issue affects WordPress: from 6.5 through 6.5.4, from 6.4 through 6.4.4, from 6.3 through 6.3.4, from 6.2 through 6.2.5, from 6.1 through 6.1.6, from 6.0 through 6.0.8, from 5.9 through 5.9.9.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027) vulnerability in Automattic WordPress allows Stored XSS.This issue affects WordPress: from 6.5 through 6.5.4, from 6.4 through 6.4.4, from 6.3 through 6.3.4, from 6.2 through 6.2.5, from 6.1 through 6.1.6, from 6.0 through 6.0.8, from 5.9 through 5.9.9."
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-592 Stored XSS"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:09:28.063Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/vulnerability/wordpress/wordpress-wordpress-core-core-6-5-5-cross-site-scripting-xss-via-template-part-vulnerability?_s_id=cve"
},
{
"tags": [
"release-notes"
],
"url": "https://wordpress.org/news/2024/06/wordpress-6-5-5/"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update to safe (6.5.5, 6.4.5, 6.3.5, 6.2.6, 6.1.7, 6.0.9, 5.9.10) or higher version."
}
],
"value": "Update to safe (6.5.5, 6.4.5, 6.3.5, 6.2.6, 6.1.7, 6.0.9, 5.9.10) or higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress Core \u003c 6.5.5 - Cross Site Scripting (XSS) vulnerability",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2024-31111",
"datePublished": "2024-06-25T12:54:47.977Z",
"dateReserved": "2024-03-28T06:58:01.377Z",
"dateUpdated": "2026-04-28T16:09:28.063Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-58674 (GCVE-0-2025-58674)
Vulnerability from cvelistv5 – Published: 2025-09-23 18:47 – Updated: 2026-04-28 16:13 X_Open Source
VLAI
Title
WordPress <= 6.8.2 - (Author+) Cross Site Scripting (XSS) Vulnerability
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WordPress allows Stored XSS. WordPress core security team is aware of the issue and working on a fix. This is low severity vulnerability that requires an attacker to have Author or higher user privileges to execute the attack vector.This issue affects WordPress: from 6.8 through 6.8.2, from 6.7 through 6.7.3, from 6.6 through 6.6.3, from 6.5 through 6.5.6, from 6.4 through 6.4.6, from 6.3 through 6.3.6, from 6.2 through 6.2.7, from 6.1 through 6.1.8, from 6.0 through 6.0.10, from 5.9 through 5.9.11, from 5.8 through 5.8.11, from 5.7 through 5.7.13, from 5.6 through 5.6.15, from 5.5 through 5.5.16, from 5.4 through 5.4.17, from 5.3 through 5.3.19, from 5.2 through 5.2.22, from 5.1 through 5.1.20, from 5.0 through 5.0.23, from 4.9 through 4.9.27, from 4.8 through 4.8.26, from 4.7 through 4.7.30.
Severity
5.9 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://patchstack.com/database/wordpress/wordpre… | vdb-entry |
| https://wordpress.org/news/2025/09/wordpress-6-8-… | release-notes |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| WordPress | WordPress |
Affected:
6.8 , ≤ 6.8.2
(custom)
Affected: 6.7 , ≤ 6.7.3 (custom) Affected: 6.6 , ≤ 6.6.3 (custom) Affected: 6.5 , ≤ 6.5.6 (custom) Affected: 6.4 , ≤ 6.4.6 (custom) Affected: 6.3 , ≤ 6.3.6 (custom) Affected: 6.2 , ≤ 6.2.7 (custom) Affected: 6.1 , ≤ 6.1.8 (custom) Affected: 6.0 , ≤ 6.0.10 (custom) Affected: 5.9 , ≤ 5.9.11 (custom) Affected: 5.8 , ≤ 5.8.11 (custom) Affected: 5.7 , ≤ 5.7.13 (custom) Affected: 5.6 , ≤ 5.6.15 (custom) Affected: 5.5 , ≤ 5.5.16 (custom) Affected: 5.4 , ≤ 5.4.17 (custom) Affected: 5.3 , ≤ 5.3.19 (custom) Affected: 5.2 , ≤ 5.2.22 (custom) Affected: 5.1 , ≤ 5.1.20 (custom) Affected: 5.0 , ≤ 5.0.23 (custom) Affected: 4.9 , ≤ 4.9.27 (custom) Affected: 4.8 , ≤ 4.8.26 (custom) Affected: 4.7 , ≤ 4.7.30 (custom) |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-58674",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-23T19:15:09.886956Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-23T19:17:35.099Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WordPress",
"repo": "https://github.com/WordPress/WordPress",
"vendor": "WordPress",
"versions": [
{
"changes": [
{
"at": "6.8.3",
"status": "unaffected"
}
],
"lessThanOrEqual": "6.8.2",
"status": "affected",
"version": "6.8",
"versionType": "custom"
},
{
"changes": [
{
"at": "6.7.4",
"status": "unaffected"
}
],
"lessThanOrEqual": "6.7.3",
"status": "affected",
"version": "6.7",
"versionType": "custom"
},
{
"changes": [
{
"at": "6.6.4",
"status": "unaffected"
}
],
"lessThanOrEqual": "6.6.3",
"status": "affected",
"version": "6.6",
"versionType": "custom"
},
{
"changes": [
{
"at": "6.5.7",
"status": "unaffected"
}
],
"lessThanOrEqual": "6.5.6",
"status": "affected",
"version": "6.5",
"versionType": "custom"
},
{
"changes": [
{
"at": "6.4.7",
"status": "unaffected"
}
],
"lessThanOrEqual": "6.4.6",
"status": "affected",
"version": "6.4",
"versionType": "custom"
},
{
"changes": [
{
"at": "6.3.7",
"status": "unaffected"
}
],
"lessThanOrEqual": "6.3.6",
"status": "affected",
"version": "6.3",
"versionType": "custom"
},
{
"changes": [
{
"at": "6.2.8",
"status": "unaffected"
}
],
"lessThanOrEqual": "6.2.7",
"status": "affected",
"version": "6.2",
"versionType": "custom"
},
{
"changes": [
{
"at": "6.1.9",
"status": "unaffected"
}
],
"lessThanOrEqual": "6.1.8",
"status": "affected",
"version": "6.1",
"versionType": "custom"
},
{
"changes": [
{
"at": "6.0.11",
"status": "unaffected"
}
],
"lessThanOrEqual": "6.0.10",
"status": "affected",
"version": "6.0",
"versionType": "custom"
},
{
"changes": [
{
"at": "5.9.12",
"status": "unaffected"
}
],
"lessThanOrEqual": "5.9.11",
"status": "affected",
"version": "5.9",
"versionType": "custom"
},
{
"changes": [
{
"at": "5.8.12",
"status": "unaffected"
}
],
"lessThanOrEqual": "5.8.11",
"status": "affected",
"version": "5.8",
"versionType": "custom"
},
{
"changes": [
{
"at": "5.7.14",
"status": "unaffected"
}
],
"lessThanOrEqual": "5.7.13",
"status": "affected",
"version": "5.7",
"versionType": "custom"
},
{
"changes": [
{
"at": "5.6.16",
"status": "unaffected"
}
],
"lessThanOrEqual": "5.6.15",
"status": "affected",
"version": "5.6",
"versionType": "custom"
},
{
"changes": [
{
"at": "5.5.17",
"status": "unaffected"
}
],
"lessThanOrEqual": "5.5.16",
"status": "affected",
"version": "5.5",
"versionType": "custom"
},
{
"changes": [
{
"at": "5.4.18",
"status": "unaffected"
}
],
"lessThanOrEqual": "5.4.17",
"status": "affected",
"version": "5.4",
"versionType": "custom"
},
{
"changes": [
{
"at": "5.3.20",
"status": "unaffected"
}
],
"lessThanOrEqual": "5.3.19",
"status": "affected",
"version": "5.3",
"versionType": "custom"
},
{
"changes": [
{
"at": "5.2.23",
"status": "unaffected"
}
],
"lessThanOrEqual": "5.2.22",
"status": "affected",
"version": "5.2",
"versionType": "custom"
},
{
"changes": [
{
"at": "5.1.21",
"status": "unaffected"
}
],
"lessThanOrEqual": "5.1.20",
"status": "affected",
"version": "5.1",
"versionType": "custom"
},
{
"changes": [
{
"at": "5.0.24",
"status": "unaffected"
}
],
"lessThanOrEqual": "5.0.23",
"status": "affected",
"version": "5.0",
"versionType": "custom"
},
{
"changes": [
{
"at": "4.9.28",
"status": "unaffected"
}
],
"lessThanOrEqual": "4.9.27",
"status": "affected",
"version": "4.9",
"versionType": "custom"
},
{
"changes": [
{
"at": "4.8.27",
"status": "unaffected"
}
],
"lessThanOrEqual": "4.8.26",
"status": "affected",
"version": "4.8",
"versionType": "custom"
},
{
"changes": [
{
"at": "4.7.31",
"status": "unaffected"
}
],
"lessThanOrEqual": "4.7.30",
"status": "affected",
"version": "4.7",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "savphill (Patchstack Bug Bounty Program)"
},
{
"lang": "en",
"type": "coordinator",
"value": "John Blackbourn (WordPress core security team lead)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(252, 252, 252);\"\u003eImproper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in WordPress allows Stored XSS. WordPress core security team is aware of the issue and working on a fix. This is low severity vulnerability that requires an attacker to have Author or higher user privileges to execute the attack vector.\u003c/span\u003e\u003cp\u003eThis issue affects WordPress: from 6.8 through 6.8.2, from 6.7 through 6.7.3, from 6.6 through 6.6.3, from 6.5 through 6.5.6, from 6.4 through 6.4.6, from 6.3 through 6.3.6, from 6.2 through 6.2.7, from 6.1 through 6.1.8, from 6.0 through 6.0.10, from 5.9 through 5.9.11, from 5.8 through 5.8.11, from 5.7 through 5.7.13, from 5.6 through 5.6.15, from 5.5 through 5.5.16, from 5.4 through 5.4.17, from 5.3 through 5.3.19, from 5.2 through 5.2.22, from 5.1 through 5.1.20, from 5.0 through 5.0.23, from 4.9 through 4.9.27, from 4.8 through 4.8.26, from 4.7 through 4.7.30.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in WordPress allows Stored XSS. WordPress core security team is aware of the issue and working on a fix. This is low severity vulnerability that requires an attacker to have Author or higher user privileges to execute the attack vector.This issue affects WordPress: from 6.8 through 6.8.2, from 6.7 through 6.7.3, from 6.6 through 6.6.3, from 6.5 through 6.5.6, from 6.4 through 6.4.6, from 6.3 through 6.3.6, from 6.2 through 6.2.7, from 6.1 through 6.1.8, from 6.0 through 6.0.10, from 5.9 through 5.9.11, from 5.8 through 5.8.11, from 5.7 through 5.7.13, from 5.6 through 5.6.15, from 5.5 through 5.5.16, from 5.4 through 5.4.17, from 5.3 through 5.3.19, from 5.2 through 5.2.22, from 5.1 through 5.1.20, from 5.0 through 5.0.23, from 4.9 through 4.9.27, from 4.8 through 4.8.26, from 4.7 through 4.7.30."
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-592 Stored XSS"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:13:46.266Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/wordpress/wordpress/wordpress/vulnerability/wordpress-wordpress-wordpress-6-8-2-cross-site-scripting-xss-vulnerability?_s_id=cve"
},
{
"tags": [
"release-notes"
],
"url": "https://wordpress.org/news/2025/09/wordpress-6-8-3-release/"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update WordPress to one of the following patched or higher versions: 6.8.3, 6.7.4, 6.6.4, 6.5.7, 6.4.7, 6.3.7, 6.2.8, 6.1.9, 6.0.11, 5.9.12, 5.8.12, 5.7.14, 5.6.16, 5.5.17, 5.4.18, 5.3.20, 5.2.23, 5.1.21, 5.0.24, 4.9.28, 4.8.27, or 4.7.31."
}
],
"value": "Update WordPress to one of the following patched or higher versions: 6.8.3, 6.7.4, 6.6.4, 6.5.7, 6.4.7, 6.3.7, 6.2.8, 6.1.9, 6.0.11, 5.9.12, 5.8.12, 5.7.14, 5.6.16, 5.5.17, 5.4.18, 5.3.20, 5.2.23, 5.1.21, 5.0.24, 4.9.28, 4.8.27, or 4.7.31."
}
],
"source": {
"discovery": "EXTERNAL"
},
"tags": [
"x_open-source"
],
"title": "WordPress \u003c= 6.8.2 - (Author+) Cross Site Scripting (XSS) Vulnerability",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-58674",
"datePublished": "2025-09-23T18:47:02.628Z",
"dateReserved": "2025-09-03T09:03:46.831Z",
"dateUpdated": "2026-04-28T16:13:46.266Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-58246 (GCVE-0-2025-58246)
Vulnerability from cvelistv5 – Published: 2025-09-23 17:17 – Updated: 2026-04-28 16:13 X_Open Source
VLAI
Title
WordPress <= 6.8.2 - (Contributor+) Sensitive Data Exposure Vulnerability
Summary
Insertion of Sensitive Information Into Sent Data vulnerability in WordPress allows Retrieve Embedded Sensitive Data. The WordPress Core security team is aware of the issue and is already working on a fix. This is a low-severity vulnerability. Contributor-level privileges required in order to exploit it.
This issue affects WordPress: from 6.8 through 6.8.2, from 6.7 through 6.7.3, from 6.6 through 6.6.3, from 6.5 through 6.5.6, from 6.4 through 6.4.6, from 6.3 through 6.3.6, from 6.2 through 6.2.7, from 6.1 through 6.1.8, from 6.0 through 6.0.10, from 5.9 through 5.9.11, from 5.8 through 5.8.11, from 5.7 through 5.7.13, from 5.6 through 5.6.15, from 5.5 through 5.5.16, from 5.4 through 5.4.17, from 5.3 through 5.3.19, from 5.2 through 5.2.22, from 5.1 through 5.1.20, from 5.0 through 5.0.23, from 4.9 through 4.9.27, from 4.8 through 4.8.26, from 4.7 through 4.7.30.
Severity
4.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-201 - Insertion of Sensitive Information Into Sent Data
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://patchstack.com/database/wordpress/wordpre… | vdb-entry |
| https://wordpress.org/news/2025/09/wordpress-6-8-… | release-notes |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| WordPress | WordPress |
Affected:
6.8 , ≤ 6.8.2
(custom)
Affected: 6.7 , ≤ 6.7.3 (custom) Affected: 6.6 , ≤ 6.6.3 (custom) Affected: 6.5 , ≤ 6.5.6 (custom) Affected: 6.4 , ≤ 6.4.6 (custom) Affected: 6.3 , ≤ 6.3.6 (custom) Affected: 6.2 , ≤ 6.2.7 (custom) Affected: 6.1 , ≤ 6.1.8 (custom) Affected: 6.0 , ≤ 6.0.10 (custom) Affected: 5.9 , ≤ 5.9.11 (custom) Affected: 5.8 , ≤ 5.8.11 (custom) Affected: 5.7 , ≤ 5.7.13 (custom) Affected: 5.6 , ≤ 5.6.15 (custom) Affected: 5.5 , ≤ 5.5.16 (custom) Affected: 5.4 , ≤ 5.4.17 (custom) Affected: 5.3 , ≤ 5.3.19 (custom) Affected: 5.2 , ≤ 5.2.22 (custom) Affected: 5.1 , ≤ 5.1.20 (custom) Affected: 5.0 , ≤ 5.0.23 (custom) Affected: 4.9 , ≤ 4.9.27 (custom) Affected: 4.8 , ≤ 4.8.26 (custom) Affected: 4.7 , ≤ 4.7.30 (custom) |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-58246",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-23T18:30:39.501670Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-23T18:37:38.153Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WordPress",
"repo": "https://github.com/WordPress/WordPress",
"vendor": "WordPress",
"versions": [
{
"changes": [
{
"at": "6.8.3",
"status": "unaffected"
}
],
"lessThanOrEqual": "6.8.2",
"status": "affected",
"version": "6.8",
"versionType": "custom"
},
{
"changes": [
{
"at": "6.7.4",
"status": "unaffected"
}
],
"lessThanOrEqual": "6.7.3",
"status": "affected",
"version": "6.7",
"versionType": "custom"
},
{
"changes": [
{
"at": "6.6.4",
"status": "unaffected"
}
],
"lessThanOrEqual": "6.6.3",
"status": "affected",
"version": "6.6",
"versionType": "custom"
},
{
"changes": [
{
"at": "6.5.7",
"status": "unaffected"
}
],
"lessThanOrEqual": "6.5.6",
"status": "affected",
"version": "6.5",
"versionType": "custom"
},
{
"changes": [
{
"at": "6.4.7",
"status": "unaffected"
}
],
"lessThanOrEqual": "6.4.6",
"status": "affected",
"version": "6.4",
"versionType": "custom"
},
{
"changes": [
{
"at": "6.3.7",
"status": "unaffected"
}
],
"lessThanOrEqual": "6.3.6",
"status": "affected",
"version": "6.3",
"versionType": "custom"
},
{
"changes": [
{
"at": "6.2.8",
"status": "unaffected"
}
],
"lessThanOrEqual": "6.2.7",
"status": "affected",
"version": "6.2",
"versionType": "custom"
},
{
"changes": [
{
"at": "6.1.9",
"status": "unaffected"
}
],
"lessThanOrEqual": "6.1.8",
"status": "affected",
"version": "6.1",
"versionType": "custom"
},
{
"changes": [
{
"at": "6.0.11",
"status": "unaffected"
}
],
"lessThanOrEqual": "6.0.10",
"status": "affected",
"version": "6.0",
"versionType": "custom"
},
{
"changes": [
{
"at": "5.9.12",
"status": "unaffected"
}
],
"lessThanOrEqual": "5.9.11",
"status": "affected",
"version": "5.9",
"versionType": "custom"
},
{
"changes": [
{
"at": "5.8.12",
"status": "unaffected"
}
],
"lessThanOrEqual": "5.8.11",
"status": "affected",
"version": "5.8",
"versionType": "custom"
},
{
"changes": [
{
"at": "5.7.14",
"status": "unaffected"
}
],
"lessThanOrEqual": "5.7.13",
"status": "affected",
"version": "5.7",
"versionType": "custom"
},
{
"changes": [
{
"at": "5.6.16",
"status": "unaffected"
}
],
"lessThanOrEqual": "5.6.15",
"status": "affected",
"version": "5.6",
"versionType": "custom"
},
{
"changes": [
{
"at": "5.5.17",
"status": "unaffected"
}
],
"lessThanOrEqual": "5.5.16",
"status": "affected",
"version": "5.5",
"versionType": "custom"
},
{
"changes": [
{
"at": "5.4.18",
"status": "unaffected"
}
],
"lessThanOrEqual": "5.4.17",
"status": "affected",
"version": "5.4",
"versionType": "custom"
},
{
"changes": [
{
"at": "5.3.20",
"status": "unaffected"
}
],
"lessThanOrEqual": "5.3.19",
"status": "affected",
"version": "5.3",
"versionType": "custom"
},
{
"changes": [
{
"at": "5.2.23",
"status": "unaffected"
}
],
"lessThanOrEqual": "5.2.22",
"status": "affected",
"version": "5.2",
"versionType": "custom"
},
{
"changes": [
{
"at": "5.1.21",
"status": "unaffected"
}
],
"lessThanOrEqual": "5.1.20",
"status": "affected",
"version": "5.1",
"versionType": "custom"
},
{
"changes": [
{
"at": "5.0.24",
"status": "unaffected"
}
],
"lessThanOrEqual": "5.0.23",
"status": "affected",
"version": "5.0",
"versionType": "custom"
},
{
"changes": [
{
"at": "4.9.28",
"status": "unaffected"
}
],
"lessThanOrEqual": "4.9.27",
"status": "affected",
"version": "4.9",
"versionType": "custom"
},
{
"changes": [
{
"at": "4.8.27",
"status": "unaffected"
}
],
"lessThanOrEqual": "4.8.26",
"status": "affected",
"version": "4.8",
"versionType": "custom"
},
{
"changes": [
{
"at": "4.7.31",
"status": "unaffected"
}
],
"lessThanOrEqual": "4.7.30",
"status": "affected",
"version": "4.7",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Abu Hurayra (Patchstack Bug Bounty Program)"
},
{
"lang": "en",
"type": "coordinator",
"value": "John Blackbourn (WordPress core security team lead)"
},
{
"lang": "en",
"type": "reporter",
"value": "Timothy Jacobs"
},
{
"lang": "en",
"type": "reporter",
"value": "Peter Wilson"
},
{
"lang": "en",
"type": "reporter",
"value": "Mike Nelson"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eInsertion of Sensitive Information Into Sent Data vulnerability in WordPress allows Retrieve Embedded Sensitive Data. The WordPress Core security team is aware of the issue and is already working on a fix. This is a low-severity vulnerability. Contributor-level privileges required in order to exploit it.\u003c/span\u003e\u003cbr\u003e\u003cp\u003eThis issue affects WordPress: from 6.8 through 6.8.2, from 6.7 through 6.7.3, from 6.6 through 6.6.3, from 6.5 through 6.5.6, from 6.4 through 6.4.6, from 6.3 through 6.3.6, from 6.2 through 6.2.7, from 6.1 through 6.1.8, from 6.0 through 6.0.10, from 5.9 through 5.9.11, from 5.8 through 5.8.11, from 5.7 through 5.7.13, from 5.6 through 5.6.15, from 5.5 through 5.5.16, from 5.4 through 5.4.17, from 5.3 through 5.3.19, from 5.2 through 5.2.22, from 5.1 through 5.1.20, from 5.0 through 5.0.23, from 4.9 through 4.9.27, from 4.8 through 4.8.26, from 4.7 through 4.7.30.\u003c/p\u003e"
}
],
"value": "Insertion of Sensitive Information Into Sent Data vulnerability in WordPress allows Retrieve Embedded Sensitive Data. The WordPress Core security team is aware of the issue and is already working on a fix. This is a low-severity vulnerability. Contributor-level privileges required in order to exploit it.\nThis issue affects WordPress: from 6.8 through 6.8.2, from 6.7 through 6.7.3, from 6.6 through 6.6.3, from 6.5 through 6.5.6, from 6.4 through 6.4.6, from 6.3 through 6.3.6, from 6.2 through 6.2.7, from 6.1 through 6.1.8, from 6.0 through 6.0.10, from 5.9 through 5.9.11, from 5.8 through 5.8.11, from 5.7 through 5.7.13, from 5.6 through 5.6.15, from 5.5 through 5.5.16, from 5.4 through 5.4.17, from 5.3 through 5.3.19, from 5.2 through 5.2.22, from 5.1 through 5.1.20, from 5.0 through 5.0.23, from 4.9 through 4.9.27, from 4.8 through 4.8.26, from 4.7 through 4.7.30."
}
],
"impacts": [
{
"capecId": "CAPEC-37",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-37 Retrieve Embedded Sensitive Data"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-201",
"description": "CWE-201 Insertion of Sensitive Information Into Sent Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:13:42.821Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/wordpress/wordpress/wordpress/vulnerability/wordpress-wordpress-wordpress-6-8-2-sensitive-data-exposure-vulnerability?_s_id=cve"
},
{
"tags": [
"release-notes"
],
"url": "https://wordpress.org/news/2025/09/wordpress-6-8-3-release/"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update WordPress to one of the following patched or higher versions: 6.8.3, 6.7.4, 6.6.4, 6.5.7, 6.4.7, 6.3.7, 6.2.8, 6.1.9, 6.0.11, 5.9.12, 5.8.12, 5.7.14, 5.6.16, 5.5.17, 5.4.18, 5.3.20, 5.2.23, 5.1.21, 5.0.24, 4.9.28, 4.8.27, or 4.7.31."
}
],
"value": "Update WordPress to one of the following patched or higher versions: 6.8.3, 6.7.4, 6.6.4, 6.5.7, 6.4.7, 6.3.7, 6.2.8, 6.1.9, 6.0.11, 5.9.12, 5.8.12, 5.7.14, 5.6.16, 5.5.17, 5.4.18, 5.3.20, 5.2.23, 5.1.21, 5.0.24, 4.9.28, 4.8.27, or 4.7.31."
}
],
"source": {
"discovery": "EXTERNAL"
},
"tags": [
"x_open-source"
],
"title": "WordPress \u003c= 6.8.2 - (Contributor+) Sensitive Data Exposure Vulnerability",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-58246",
"datePublished": "2025-09-23T17:17:12.399Z",
"dateReserved": "2025-08-27T16:19:44.959Z",
"dateUpdated": "2026-04-28T16:13:42.821Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-32111 (GCVE-0-2024-32111)
Vulnerability from cvelistv5 – Published: 2024-06-25 13:35 – Updated: 2026-04-28 16:09
VLAI
Title
WordPress core < 6.5.5 - Auth. Arbitrary .html File Read (Windows Only) vulnerability
Summary
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Automattic WordPress allows Relative Path Traversal.This issue affects WordPress: from 6.5 through 6.5.4, from 6.4 through 6.4.4, from 6.3 through 6.3.4, from 6.2 through 6.2.5, from 6.1 through 6.1.6, from 6.0 through 6.0.8, from 5.9 through 5.9.9, from 5.8 through 5.8.9, from 5.7 through 5.7.11, from 5.6 through 5.6.13, from 5.5 through 5.5.14, from 5.4 through 5.4.15, from 5.3 through 5.3.17, from 5.2 through 5.2.20, from 5.1 through 5.1.18, from 5.0 through 5.0.21, from 4.9 through 4.9.25, from 4.8 through 4.8.24, from 4.7 through 4.7.28, from 4.6 through 4.6.28, from 4.5 through 4.5.31, from 4.4 through 4.4.32, from 4.3 through 4.3.33, from 4.2 through 4.2.37, from 4.1 through 4.1.40.
Severity
5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://patchstack.com/database/vulnerability/wor… | vdb-entry |
| https://wordpress.org/news/2024/06/wordpress-6-5-5/ | release-notes |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Automattic | WordPress |
Affected:
6.5 , ≤ 6.5.4
(custom)
Affected: 6.4 , ≤ 6.4.4 (custom) Affected: 6.3 , ≤ 6.3.4 (custom) Affected: 6.2 , ≤ 6.2.5 (custom) Affected: 6.1 , ≤ 6.1.6 (custom) Affected: 6.0 , ≤ 6.0.8 (custom) Affected: 5.9 , ≤ 5.9.9 (custom) Affected: 5.8 , ≤ 5.8.9 (custom) Affected: 5.7 , ≤ 5.7.11 (custom) Affected: 5.6 , ≤ 5.6.13 (custom) Affected: 5.5 , ≤ 5.5.14 (custom) Affected: 5.4 , ≤ 5.4.15 (custom) Affected: 5.3 , ≤ 5.3.17 (custom) Affected: 5.2 , ≤ 5.2.20 (custom) Affected: 5.1 , ≤ 5.1.18 (custom) Affected: 5.0 , ≤ 5.0.21 (custom) Affected: 4.9 , ≤ 4.9.25 (custom) Affected: 4.8 , ≤ 4.8.24 (custom) Affected: 4.7 , ≤ 4.7.28 (custom) Affected: 4.6 , ≤ 4.6.28 (custom) Affected: 4.5 , ≤ 4.5.31 (custom) Affected: 4.4 , ≤ 4.4.32 (custom) Affected: 4.3 , ≤ 4.3.33 (custom) Affected: 4.2 , ≤ 4.2.37 (custom) Affected: 4.1 , ≤ 4.1.40 (custom) |
Date Public
2024-06-25 13:30
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-32111",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-27T13:40:36.313046Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-27T19:20:35.758Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T02:06:44.011Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/wordpress/wordpress-core-6-5-5-contributor-arbitrary-html-file-read-windows-only-vulnerability?_s_id=cve"
},
{
"tags": [
"release-notes",
"x_transferred"
],
"url": "https://wordpress.org/news/2024/06/wordpress-6-5-5/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WordPress",
"vendor": "Automattic",
"versions": [
{
"changes": [
{
"at": "6.5.5",
"status": "unaffected"
}
],
"lessThanOrEqual": "6.5.4",
"status": "affected",
"version": "6.5",
"versionType": "custom"
},
{
"changes": [
{
"at": "6.4.5",
"status": "unaffected"
}
],
"lessThanOrEqual": "6.4.4",
"status": "affected",
"version": "6.4",
"versionType": "custom"
},
{
"changes": [
{
"at": "6.3.5",
"status": "unaffected"
}
],
"lessThanOrEqual": "6.3.4",
"status": "affected",
"version": "6.3",
"versionType": "custom"
},
{
"changes": [
{
"at": "6.2.6",
"status": "unaffected"
}
],
"lessThanOrEqual": "6.2.5",
"status": "affected",
"version": "6.2",
"versionType": "custom"
},
{
"changes": [
{
"at": "6.1.7",
"status": "unaffected"
}
],
"lessThanOrEqual": "6.1.6",
"status": "affected",
"version": "6.1",
"versionType": "custom"
},
{
"changes": [
{
"at": "6.0.9",
"status": "unaffected"
}
],
"lessThanOrEqual": "6.0.8",
"status": "affected",
"version": "6.0",
"versionType": "custom"
},
{
"changes": [
{
"at": "5.9.10",
"status": "unaffected"
}
],
"lessThanOrEqual": "5.9.9",
"status": "affected",
"version": "5.9",
"versionType": "custom"
},
{
"changes": [
{
"at": "5.8.10",
"status": "unaffected"
}
],
"lessThanOrEqual": "5.8.9",
"status": "affected",
"version": "5.8",
"versionType": "custom"
},
{
"changes": [
{
"at": "5.7.12",
"status": "unaffected"
}
],
"lessThanOrEqual": "5.7.11",
"status": "affected",
"version": "5.7",
"versionType": "custom"
},
{
"changes": [
{
"at": "5.6.14",
"status": "unaffected"
}
],
"lessThanOrEqual": "5.6.13",
"status": "affected",
"version": "5.6",
"versionType": "custom"
},
{
"changes": [
{
"at": "5.5.15",
"status": "unaffected"
}
],
"lessThanOrEqual": "5.5.14",
"status": "affected",
"version": "5.5",
"versionType": "custom"
},
{
"changes": [
{
"at": "5.4.16",
"status": "unaffected"
}
],
"lessThanOrEqual": "5.4.15",
"status": "affected",
"version": "5.4",
"versionType": "custom"
},
{
"changes": [
{
"at": "5.3.18",
"status": "unaffected"
}
],
"lessThanOrEqual": "5.3.17",
"status": "affected",
"version": "5.3",
"versionType": "custom"
},
{
"changes": [
{
"at": "5.2.21",
"status": "unaffected"
}
],
"lessThanOrEqual": "5.2.20",
"status": "affected",
"version": "5.2",
"versionType": "custom"
},
{
"changes": [
{
"at": "5.1.19",
"status": "unaffected"
}
],
"lessThanOrEqual": "5.1.18",
"status": "affected",
"version": "5.1",
"versionType": "custom"
},
{
"changes": [
{
"at": "5.0.22",
"status": "unaffected"
}
],
"lessThanOrEqual": "5.0.21",
"status": "affected",
"version": "5.0",
"versionType": "custom"
},
{
"changes": [
{
"at": "4.9.26",
"status": "unaffected"
}
],
"lessThanOrEqual": "4.9.25",
"status": "affected",
"version": "4.9",
"versionType": "custom"
},
{
"changes": [
{
"at": "4.8.25",
"status": "unaffected"
}
],
"lessThanOrEqual": "4.8.24",
"status": "affected",
"version": "4.8",
"versionType": "custom"
},
{
"changes": [
{
"at": "4.7.29",
"status": "unaffected"
}
],
"lessThanOrEqual": "4.7.28",
"status": "affected",
"version": "4.7",
"versionType": "custom"
},
{
"changes": [
{
"at": "4.6.29",
"status": "unaffected"
}
],
"lessThanOrEqual": "4.6.28",
"status": "affected",
"version": "4.6",
"versionType": "custom"
},
{
"changes": [
{
"at": "4.5.32",
"status": "unaffected"
}
],
"lessThanOrEqual": "4.5.31",
"status": "affected",
"version": "4.5",
"versionType": "custom"
},
{
"changes": [
{
"at": "4.4.33",
"status": "unaffected"
}
],
"lessThanOrEqual": "4.4.32",
"status": "affected",
"version": "4.4",
"versionType": "custom"
},
{
"changes": [
{
"at": "4.3.34",
"status": "unaffected"
}
],
"lessThanOrEqual": "4.3.33",
"status": "affected",
"version": "4.3",
"versionType": "custom"
},
{
"changes": [
{
"at": "4.2.38",
"status": "unaffected"
}
],
"lessThanOrEqual": "4.2.37",
"status": "affected",
"version": "4.2",
"versionType": "custom"
},
{
"changes": [
{
"at": "4.1.41",
"status": "unaffected"
}
],
"lessThanOrEqual": "4.1.40",
"status": "affected",
"version": "4.1",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Rafie Muhammad (Patchstack)"
},
{
"lang": "en",
"type": "finder",
"value": "Edouard L. (Patchstack)"
},
{
"lang": "en",
"type": "finder",
"value": "David Fifield"
},
{
"lang": "en",
"type": "finder",
"value": "x89"
},
{
"lang": "en",
"type": "finder",
"value": "apple502j"
},
{
"lang": "en",
"type": "finder",
"value": "mishre"
}
],
"datePublic": "2024-06-25T13:30:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027) vulnerability in Automattic WordPress allows Relative Path Traversal.\u003cp\u003eThis issue affects WordPress: from 6.5 through 6.5.4, from 6.4 through 6.4.4, from 6.3 through 6.3.4, from 6.2 through 6.2.5, from 6.1 through 6.1.6, from 6.0 through 6.0.8, from 5.9 through 5.9.9, from 5.8 through 5.8.9, from 5.7 through 5.7.11, from 5.6 through 5.6.13, from 5.5 through 5.5.14, from 5.4 through 5.4.15, from 5.3 through 5.3.17, from 5.2 through 5.2.20, from 5.1 through 5.1.18, from 5.0 through 5.0.21, from 4.9 through 4.9.25, from 4.8 through 4.8.24, from 4.7 through 4.7.28, from 4.6 through 4.6.28, from 4.5 through 4.5.31, from 4.4 through 4.4.32, from 4.3 through 4.3.33, from 4.2 through 4.2.37, from 4.1 through 4.1.40.\u003c/p\u003e"
}
],
"value": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027) vulnerability in Automattic WordPress allows Relative Path Traversal.This issue affects WordPress: from 6.5 through 6.5.4, from 6.4 through 6.4.4, from 6.3 through 6.3.4, from 6.2 through 6.2.5, from 6.1 through 6.1.6, from 6.0 through 6.0.8, from 5.9 through 5.9.9, from 5.8 through 5.8.9, from 5.7 through 5.7.11, from 5.6 through 5.6.13, from 5.5 through 5.5.14, from 5.4 through 5.4.15, from 5.3 through 5.3.17, from 5.2 through 5.2.20, from 5.1 through 5.1.18, from 5.0 through 5.0.21, from 4.9 through 4.9.25, from 4.8 through 4.8.24, from 4.7 through 4.7.28, from 4.6 through 4.6.28, from 4.5 through 4.5.31, from 4.4 through 4.4.32, from 4.3 through 4.3.33, from 4.2 through 4.2.37, from 4.1 through 4.1.40."
}
],
"impacts": [
{
"capecId": "CAPEC-139",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-139 Relative Path Traversal"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:09:34.172Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/vulnerability/wordpress/wordpress-core-6-5-5-contributor-arbitrary-html-file-read-windows-only-vulnerability?_s_id=cve"
},
{
"tags": [
"release-notes"
],
"url": "https://wordpress.org/news/2024/06/wordpress-6-5-5/"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update to safe (6.5.5,\u00a06.4.5, 6.3.5, 6.2.6, 6.1.7, 6.0.9, 5.9.10, 5.8.10, 5.7.12, 5.6.14, 5.5.15, 5.4.16, 5.3.18, 5.2.21, 5.1.19, 5.0.22, 4.9.26, 4.8.25, 4.7.29, 4.6.29, 4.5.32, 4.4.33, 4.3.34, 4.2.38, 4.1.41) or higher version."
}
],
"value": "Update to safe (6.5.5,\u00a06.4.5, 6.3.5, 6.2.6, 6.1.7, 6.0.9, 5.9.10, 5.8.10, 5.7.12, 5.6.14, 5.5.15, 5.4.16, 5.3.18, 5.2.21, 5.1.19, 5.0.22, 4.9.26, 4.8.25, 4.7.29, 4.6.29, 4.5.32, 4.4.33, 4.3.34, 4.2.38, 4.1.41) or higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress core \u003c 6.5.5 - Auth. Arbitrary .html File Read (Windows Only) vulnerability",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2024-32111",
"datePublished": "2024-06-25T13:35:45.596Z",
"dateReserved": "2024-04-10T19:19:25.420Z",
"dateUpdated": "2026-04-28T16:09:34.172Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-31111 (GCVE-0-2024-31111)
Vulnerability from cvelistv5 – Published: 2024-06-25 12:54 – Updated: 2026-04-28 16:09
VLAI
Title
WordPress Core < 6.5.5 - Cross Site Scripting (XSS) vulnerability
Summary
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Automattic WordPress allows Stored XSS.This issue affects WordPress: from 6.5 through 6.5.4, from 6.4 through 6.4.4, from 6.3 through 6.3.4, from 6.2 through 6.2.5, from 6.1 through 6.1.6, from 6.0 through 6.0.8, from 5.9 through 5.9.9.
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://patchstack.com/database/vulnerability/wor… | vdb-entry |
| https://wordpress.org/news/2024/06/wordpress-6-5-5/ | release-notes |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Automattic | WordPress |
Affected:
6.5 , ≤ 6.5.4
(custom)
Affected: 6.4 , ≤ 6.4.4 (custom) Affected: 6.3 , ≤ 6.3.4 (custom) Affected: 6.2 , ≤ 6.2.5 (custom) Affected: 6.1 , ≤ 6.1.6 (custom) Affected: 6.0 , ≤ 6.0.8 (custom) Affected: 5.9 , ≤ 5.9.9 (custom) |
Date Public
2024-06-25 12:54
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-31111",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-25T13:49:17.784337Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-25T13:49:38.980Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:46:04.672Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/wordpress/wordpress-wordpress-core-core-6-5-5-cross-site-scripting-xss-via-template-part-vulnerability?_s_id=cve"
},
{
"tags": [
"release-notes",
"x_transferred"
],
"url": "https://wordpress.org/news/2024/06/wordpress-6-5-5/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WordPress",
"vendor": "Automattic",
"versions": [
{
"changes": [
{
"at": "6.5.5",
"status": "unaffected"
}
],
"lessThanOrEqual": "6.5.4",
"status": "affected",
"version": "6.5",
"versionType": "custom"
},
{
"changes": [
{
"at": "6.4.5",
"status": "unaffected"
}
],
"lessThanOrEqual": "6.4.4",
"status": "affected",
"version": "6.4",
"versionType": "custom"
},
{
"changes": [
{
"at": "6.3.5",
"status": "unaffected"
}
],
"lessThanOrEqual": "6.3.4",
"status": "affected",
"version": "6.3",
"versionType": "custom"
},
{
"changes": [
{
"at": "6.2.6",
"status": "unaffected"
}
],
"lessThanOrEqual": "6.2.5",
"status": "affected",
"version": "6.2",
"versionType": "custom"
},
{
"changes": [
{
"at": "6.1.7",
"status": "unaffected"
}
],
"lessThanOrEqual": "6.1.6",
"status": "affected",
"version": "6.1",
"versionType": "custom"
},
{
"changes": [
{
"at": "6.0.9",
"status": "unaffected"
}
],
"lessThanOrEqual": "6.0.8",
"status": "affected",
"version": "6.0",
"versionType": "custom"
},
{
"changes": [
{
"at": "5.9.10",
"status": "unaffected"
}
],
"lessThanOrEqual": "5.9.9",
"status": "affected",
"version": "5.9",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Rafie Muhammad (Patchstack)"
}
],
"datePublic": "2024-06-25T12:54:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027) vulnerability in Automattic WordPress allows Stored XSS.\u003cp\u003eThis issue affects WordPress: from 6.5 through 6.5.4, from 6.4 through 6.4.4, from 6.3 through 6.3.4, from 6.2 through 6.2.5, from 6.1 through 6.1.6, from 6.0 through 6.0.8, from 5.9 through 5.9.9.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027) vulnerability in Automattic WordPress allows Stored XSS.This issue affects WordPress: from 6.5 through 6.5.4, from 6.4 through 6.4.4, from 6.3 through 6.3.4, from 6.2 through 6.2.5, from 6.1 through 6.1.6, from 6.0 through 6.0.8, from 5.9 through 5.9.9."
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-592 Stored XSS"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:09:28.063Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/vulnerability/wordpress/wordpress-wordpress-core-core-6-5-5-cross-site-scripting-xss-via-template-part-vulnerability?_s_id=cve"
},
{
"tags": [
"release-notes"
],
"url": "https://wordpress.org/news/2024/06/wordpress-6-5-5/"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update to safe (6.5.5, 6.4.5, 6.3.5, 6.2.6, 6.1.7, 6.0.9, 5.9.10) or higher version."
}
],
"value": "Update to safe (6.5.5, 6.4.5, 6.3.5, 6.2.6, 6.1.7, 6.0.9, 5.9.10) or higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress Core \u003c 6.5.5 - Cross Site Scripting (XSS) vulnerability",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2024-31111",
"datePublished": "2024-06-25T12:54:47.977Z",
"dateReserved": "2024-03-28T06:58:01.377Z",
"dateUpdated": "2026-04-28T16:09:28.063Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}